Posted to commits@kyuubi.apache.org by fe...@apache.org on 2023/02/26 13:10:06 UTC
[kyuubi] branch master updated: [KYUUBI #4376] Support to config the kyuubi service administrator with kyuubi conf
This is an automated email from the ASF dual-hosted git repository.
feiwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 59c1875bc [KYUUBI #4376] Support to config the kyuubi service administrator with kyuubi conf
59c1875bc is described below
commit 59c1875bc16a4fa5a1f8e3e9d1c0c0ad77431e7e
Author: Tianlin Liao <ti...@ebay.com>
AuthorDate: Sun Feb 26 21:09:57 2023 +0800
[KYUUBI #4376] Support to config the kyuubi service administrator with kyuubi conf
### _Why are the changes needed?_
Close #4376
### _How was this patch tested?_
- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before making a pull request
Closes #4405 from lightning-L/kyuubi-4376.
Closes #4376
1a01a75a8 [Tianlin Liao] rename and refactor
7324cab3d [Tianlin Liao] [KYUUBI #4376] Support to config the kyuubi service administrator with kyuubi conf
Authored-by: Tianlin Liao <ti...@ebay.com>
Signed-off-by: fwang12 <fw...@ebay.com>
---
docs/deployment/settings.md | 1 +
.../scala/org/apache/kyuubi/config/KyuubiConf.scala | 10 ++++++++++
.../apache/kyuubi/server/api/v1/AdminResource.scala | 13 +++++++++----
.../kyuubi/server/api/v1/AdminResourceSuite.scala | 21 +++++++++++++++++++++
4 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/docs/deployment/settings.md b/docs/deployment/settings.md
index 82c8111b6..dac72825e 100644
--- a/docs/deployment/settings.md
+++ b/docs/deployment/settings.md
@@ -451,6 +451,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co
| Key | Default | Meaning | Type | Since |
|----------------------------------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------|
+| kyuubi.server.administrators || Comma-separated list of Kyuubi service administrators. We use this config to grant admin permission to any service accounts. | seq | 1.8.0 |
| kyuubi.server.info.provider | ENGINE | The server information provider name, some clients may rely on this information to check the server compatibilities and functionalities. <li>SERVER: Return Kyuubi server information.</li> <li>ENGINE: Return Kyuubi engine information.</li> | string | 1.6.1 |
| kyuubi.server.limit.batch.connections.per.ipaddress | <undefined> | Maximum kyuubi server batch connections per ipaddress. Any user exceeding this limit will not be allowed to connect. | int | 1.7.0 |
| kyuubi.server.limit.batch.connections.per.user | <undefined> | Maximum kyuubi server batch connections per user. Any user exceeding this limit will not be allowed to connect. | int | 1.7.0 |
diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
index 70919d6e8..517d92db3 100644
--- a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
+++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
@@ -2429,6 +2429,16 @@ object KyuubiConf {
.timeConf
.createWithDefaultString("PT30M")
+ val SERVER_ADMINISTRATORS: ConfigEntry[Seq[String]] =
+ buildConf("kyuubi.server.administrators")
+ .doc("Comma-separated list of Kyuubi service administrators. " +
+ "We use this config to grant admin permission to any service accounts.")
+ .version("1.8.0")
+ .serverOnly
+ .stringConf
+ .toSequence()
+ .createWithDefault(Nil)
+
val OPERATION_SPARK_LISTENER_ENABLED: ConfigEntry[Boolean] =
buildConf("kyuubi.operation.spark.listener.enabled")
.doc("When set to true, Spark engine registers an SQLOperationListener before executing " +
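Review bot: The doc string for `kyuubi.server.administrators` omits two things an operator needs to know. The user running the Kyuubi server is always an administrator in addition to this list, because AdminResource adds `Utils.currentUser` to the set in this same commit. Entries are also compared as exact strings with the session user. I would word it as `.doc("Comma-separated list of users allowed to call the admin REST APIs, in addition to the user that started the Kyuubi server. Names are matched exactly against the session user.")`, and the row in docs/deployment/settings.md would then need the same text. The enclosing `object KyuubiConf` starts and ends outside this hunk.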
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala
index 6e05ee27c..104dd1045 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala
@@ -41,7 +41,8 @@ import org.apache.kyuubi.server.api.ApiRequestContext
@Tag(name = "Admin")
@Produces(Array(MediaType.APPLICATION_JSON))
private[v1] class AdminResource extends ApiRequestContext with Logging {
- private lazy val administrator = Utils.currentUser
+ private lazy val administrators = fe.getConf.get(KyuubiConf.SERVER_ADMINISTRATORS).toSet +
+ Utils.currentUser
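Review bot: `administrators` turns names from configuration into admin rights, and the check only compares them with what `fe.getSessionUser(...)` returns, so the allow-list is only as strong as the REST frontend's authentication. The test added in this commit gets a 200 with a BASIC header that carries just `admin001` and no password, which suggests that under that suite's setup the name is accepted as the caller states it. A comment on the field would make the dependency visible, for example `// Admin allow-list: configured names plus the server process user. Assumes the frontend has authenticated the session user.` The class body continues outside this hunk.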
@ApiResponse(
responseCode = "200",
@@ -54,7 +55,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
val userName = fe.getSessionUser(Map.empty[String, String])
val ipAddress = fe.getIpAddress
info(s"Receive refresh Kyuubi server hadoop conf request from $userName/$ipAddress")
- if (!userName.equals(administrator)) {
+ if (!isAdministrator(userName)) {
throw new NotAllowedException(
s"$userName is not allowed to refresh the Kyuubi server hadoop conf")
}
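Review bot: A rejected admin request leaves no distinct log entry: the only log in this path is the `info(s"Receive refresh ... from $userName/$ipAddress")` line before the check, which reads the same for an accepted and a refused caller. Now that the set of accepted names is configurable, I would add `warn(s"$userName/$ipAddress is not an administrator, rejecting refresh of the Kyuubi server hadoop conf")` just before the `throw`, so that denied attempts can be found and alerted on. The same applies to the two following hunks (user defaults conf and unlimited users). The enclosing method starts and ends outside each of these hunks.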
@@ -73,7 +74,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
val userName = fe.getSessionUser(Map.empty[String, String])
val ipAddress = fe.getIpAddress
info(s"Receive refresh user defaults conf request from $userName/$ipAddress")
- if (!userName.equals(administrator)) {
+ if (!isAdministrator(userName)) {
throw new NotAllowedException(
s"$userName is not allowed to refresh the user defaults conf")
}
@@ -92,7 +93,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
val userName = fe.getSessionUser(Map.empty[String, String])
val ipAddress = fe.getIpAddress
info(s"Receive refresh unlimited users request from $userName/$ipAddress")
- if (!userName.equals(administrator)) {
+ if (!isAdministrator(userName)) {
throw new NotAllowedException(
s"$userName is not allowed to refresh the unlimited users")
}
@@ -212,4 +213,8 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
engine.getUser,
engine.getSubdomain)
}
+
+ private def isAdministrator(userName: String): Boolean = {
+ administrators.contains(userName);
+ }
}
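Review bot: `isAdministrator` carries a trailing semicolon and braces around a single expression, neither of which matches the rest of the file as far as these hunks show. It reads more cleanly as `private def isAdministrator(userName: String): Boolean = administrators.contains(userName)`. A one-line Scaladoc saying that the set holds the configured administrators plus the server process user would also help, since the field is declared far from this method.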
diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala
index d7cd4840e..ffd4a9140 100644
--- a/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala
+++ b/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala
@@ -37,6 +37,9 @@ class AdminResourceSuite extends KyuubiFunSuite with RestFrontendTestHelper {
private val engineMgr = new KyuubiApplicationManager()
+ override protected lazy val conf: KyuubiConf = KyuubiConf()
+ .set(KyuubiConf.SERVER_ADMINISTRATORS, Seq("admin001"))
+
override def beforeAll(): Unit = {
super.beforeAll()
engineMgr.initialize(KyuubiConf())
@@ -64,6 +67,24 @@ class AdminResourceSuite extends KyuubiFunSuite with RestFrontendTestHelper {
.header(AUTHORIZATION_HEADER, s"BASIC $encodeAuthorization")
.post(null)
assert(200 == response.getStatus)
+
+ val admin001AuthHeader = new String(
+ Base64.getEncoder.encode("admin001".getBytes()),
+ "UTF-8")
+ response = webTarget.path("api/v1/admin/refresh/hadoop_conf")
+ .request()
+ .header(AUTHORIZATION_HEADER, s"BASIC $admin001AuthHeader")
+ .post(null)
+ assert(200 == response.getStatus)
+
+ val admin002AuthHeader = new String(
+ Base64.getEncoder.encode("admin002".getBytes()),
+ "UTF-8")
+ response = webTarget.path("api/v1/admin/refresh/hadoop_conf")
+ .request()
+ .header(AUTHORIZATION_HEADER, s"BASIC $admin002AuthHeader")
+ .post(null)
+ assert(405 == response.getStatus)
}
test("refresh user defaults config of the kyuubi server") {
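Review bot: The new cases cover the configured administrator only for `refresh/hadoop_conf`, while the commit switches three endpoints to `isAdministrator`; this hunk adds no `admin001`/`admin002` case for the user defaults conf or unlimited users endpoints. The next test starts on the last line of the hunk and its body is not visible here, so it may already cover part of this. I would repeat the accepted and rejected pair in each of those tests so that a regression in any one check is caught. Separately, `"admin001".getBytes()` encodes with the platform default charset while the result is decoded as `"UTF-8"`; `Base64.getEncoder.encodeToString("admin001".getBytes("UTF-8"))` keeps both sides explicit.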